[lxc-devel] Getting some hooks into the container configuration

Serge Hallyn serge.hallyn at canonical.com
Thu Jun 7 19:59:23 UTC 2012


Quoting Stéphane Graber (stgraber at ubuntu.com):
> On 05/25/2012 04:17 AM, Matthijs Kooijman wrote:
> > Hi Stéphane,
> > 
> >>  - stop: Is run after the container died
> >> [...]
> >> Potential other hooks include pre-start and post-stop
> > What would be the difference between stop and post-stop, if stop also
> > runs _after_ the container died?
> > 
> > Gr.
> > 
> > Matthijs
> 
> It'd be run after the umount has been done.
> 
> But that got me to go and read the OpenVZ definition of these and made
> me catch a "small" detail I had missed.
> 
> The start and stop hooks in OpenVZ are actually run in the container's
> namespaces.
> 
> Basically the timeline would be:
>  - HOOK: pre-start (host namespace)

For encrypted container rootfs, we probably want to be roughly
here.  We want it to happen before lxc fstab entries get mounted.
But we'd want that done in the container namespace, before
all other mounts happen.

By 'host namespace' did you mean 'pre-pivotroot'?

>  - LXC: mount rootfs and fstab entries
>  - HOOK: mount (host namespace)

Special bind mounts with mount propagation from the host could
be done here.  But again they should be done in the container
namespace, but before pivot-root.

Special device creation.

>  - LXC: spawn init
>  - HOOK: start (container namespace)

Hm, how do you see this lining up with init's exec?  Does init
get stopped on exec with ptrace, or does the hook just run in
parallel with init?

>  - USER: do whatever they want in the container
>  - LXC: stops the container
>  - HOOK: stop (container namespace)

Dunno.

>  - LXC: kill the container
>  - HOOK: umount (host namespace)

Not sure.  umounting should get done automatically by the
namespace disappearing.

>  - LXC: umount rootfs and fstab entries
>  - HOOK: post-stop (host namespace)

ping an admin?  not sure.

> Based on OpenVZ documentation, if we aim at implementing something
> similar, then:
>  - "start" would be run inside the container (but script lives outside
> of it) and called right before init is spawned.
>  - "stop" would be run inside the container (but script lives outside of
> it) and called right after init dies.
> 
> I must admit never having used these two and I'm a bit unsure whether
> they are really that useful and whether we can even implement them with
> the current state of things.
> 
> 
> Something else I didn't mention in my original post is the behavior on
> exit failure for the hooks. OpenVZ typically treats any non-zero return
> code as a failure and tries to kill the container but without calling
> any additional hook.
> For example, a failure in the "start" hook will cause the container to
> be shut down and unmounted but without calling the stop, umount or
> post-stop hooks.

I think that's reasonable.

> (I'm mostly looking at
> http://download.openvz.org/doc/OpenVZ-Users-Guide.pdf in the "OpenVZ
> Action Scripts" section)

-serge
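As an added illustration (not LXC's or OpenVZ's code, and not part of the original mail): a small POSIX sh runner that models the hook timeline quoted above, tagging each hook with the namespace Stéphane proposed for it, and applying the OpenVZ-style failure rule where a non-zero exit aborts the sequence and skips every later hook. The hook bodies are constructed stand-ins; the hook names, namespaces and failure policy are assumptions taken from the thread, not from any shipped LXC release.

```shell
#!/bin/sh
# Constructed stand-in for a hook script: records that it ran and fails
# (returns 1) only when it is the hook selected by FAIL_HOOK.
FAIL_HOOK=""
RAN=""
run_hook() {
    # $1 = hook name, $2 = namespace the hook is meant to run in
    RAN="${RAN:+$RAN,}$1($2)"
    [ "$1" != "$FAIL_HOOK" ]
}

# Runs the proposed lifecycle in order and prints the hooks that actually
# ran.  Usage: run_lifecycle [hook-to-fail]
# Exit status is 0 on a clean run, 1 when a hook aborted the sequence.
run_lifecycle() {
    FAIL_HOOK="${1:-}"
    RAN=""
    # Order and namespace follow the timeline in the thread.
    for entry in pre-start:host mount:host start:container \
                 stop:container umount:host post-stop:host; do
        name="${entry%%:*}"
        ns="${entry#*:}"
        # OpenVZ rule: first non-zero exit aborts, later hooks are skipped.
        run_hook "$name" "$ns" || { echo "$RAN"; return 1; }
    done
    echo "$RAN"
    return 0
}
```

With `run_lifecycle start` the output stops at `start(container)`, matching the thread's example where a failing start hook skips the stop, umount and post-stop hooks.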